CCNP Switching Exam Notes: Troubleshooting, Switch Port Security, PVLAN Features

36.0 Inline power is available on Catalyst 3550-24-PWR, Catalyst 4500, and Catalyst 6500 switches.

37.0 The interface configuration command used to select the voice VLAN mode is:
switch(config-if)# switchport voice vlan {vlan-id | dot1p | untagged | none}
vlan-id: PC data is carried on the native VLAN and voice packets are carried on a separate voice VLAN.
dot1p: PC data is carried on the native VLAN and voice packets are carried on VLAN 0.
untagged: both PC data and voice packets are carried on the native VLAN; no separate voice VLAN is required.
none: the default condition for every switch port; no trunk is used. All modes other than 'none' use a special 802.1Q trunk between the switch and the phone.

The command
Switch# show power inline [type <mod>/<num>]
can be used to verify the inline power status for a switch port.

Three normally used methods to verify user credentials at a switch port are:
a. By using locally configured username and password
b. By using RADIUS authentication
c. By using TACACS+ authentication.

1. To configure a username and password locally, use this command in global configuration mode on the switch:
Switch(config)# username <username> password <password>
2. To define authentication using RADIUS, use the command
Switch(config)# radius-server host {<hostname> | <ip-address>} [key <string>]
to define the server along with its shared secret.
3. Define a group name that will contain a list of servers using the command:
Switch(config)# aaa group server {radius | tacacs+} <group-name>
4. Now define each server of the group, in server-group configuration mode, by using the command:
Switch(config-sg-radius)# server <ip-address>
If you have more than one RADIUS or TACACS+ server, repeat the above command for each server.

Use the line configuration command
Switch(config-line)# login authentication {default | <listname>}
to make user authentication on that line use the named AAA method list.
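A complete AAA login configuration that ties the four steps above and the `login authentication` command together, added here as an illustration and not taken from the original notes. It assumes two RADIUS servers at 10.1.1.10 and 10.1.1.11 and a shared secret (all constructed values), and it uses `aaa new-model` and `aaa authentication login`, which the notes do not show but which are the IOS commands that enable AAA and define the method list a line refers to. The local account uses `secret` rather than `password` so the credential is stored hashed.

```cisco
! Enable the AAA subsystem; required before aaa group server / aaa authentication
Switch(config)# aaa new-model
!
! Step 2: define each RADIUS server with its shared secret (constructed values)
Switch(config)# radius-server host 10.1.1.10 key S3cr3tKey-1
Switch(config)# radius-server host 10.1.1.11 key S3cr3tKey-1
!
! Steps 3 and 4: group the servers so a method list can reference them as a unit
Switch(config)# aaa group server radius CORP-RADIUS
Switch(config-sg-radius)# server 10.1.1.10
Switch(config-sg-radius)# server 10.1.1.11
Switch(config-sg-radius)# exit
!
! Step 1 plus the method list: local account only as fallback when no RADIUS server answers
Switch(config)# username admin secret <local-password>
Switch(config)# aaa authentication login VTY-AUTH group CORP-RADIUS local
!
! Apply the named method list to the VTY lines (the login authentication command)
Switch(config)# line vty 0 4
Switch(config-line)# login authentication VTY-AUTH
Switch(config-line)# end
!
! Verify what was applied
Switch# show running-config | section aaa
```

The order of methods matters: with `group CORP-RADIUS local`, the local database is consulted only when every server in the group fails to respond, not when a server rejects the credentials, so a RADIUS reject cannot be bypassed by the local fallback.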

Catalyst switches provide port-level security by using MAC addresses to control access to a switch port. The interface command
Switch(config-if)# switchport port-security
enables port security on that interface.
To statically define one or more MAC addresses that are allowed on a switch interface, use the command:
Switch(config-if)# switchport port-security mac-address <mac-address>
For example, to allow the MAC address 0013.0002.0023, use the command:
Switch(config-if)# switchport port-security mac-address 0013.0002.0023
You can set the maximum number of MAC addresses allowed on a port by using the command:
Switch(config-if)# switchport port-security maximum <max-number-of-mac-addresses>
To allow a maximum of 2 MAC addresses to access a switch port:
Switch(config-if)# switchport port-security maximum 2
By default, one MAC address is allowed access on each switch port.

38.0 The following are true about switch port security:
1. The IEEE 802.1x standard defines switch port security. Most Catalyst switches support this standard; however, the end-user PC must also comply with the standard for it to be implemented.
2. When you enable port security on a switch port, by default only one MAC address can be learned. To allow more than one MAC address on a switch port simultaneously, use the command:
Switch(config-if)# switchport port-security maximum <max-number>
3. You can either define the allowed MAC addresses statically or allow the port to learn them. If you statically define only part of the maximum allowed MAC addresses, the remaining addresses are learned dynamically. This may lead to a security breach if misused.
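A port-security configuration that applies the commands from the previous section and avoids the partial-static weakness in point 3, added as an illustration and not taken from the original notes. It assumes interface FastEthernet 0/5, data VLAN 10 and a second MAC address 0013.0002.0024 (all constructed). It also uses `switchport mode access` (port security is only accepted on a statically configured access or trunk port) and `switchport port-security violation`, which the notes do not cover but which is the real IOS command that decides what the switch does when an unknown address appears.

```cisco
Switch(config)# interface fastethernet 0/5
! Port security is rejected on a dynamic (DTP) port, so fix the mode first
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security
! Maximum 2 with two static entries leaves no slot for dynamic learning,
! which is the point-3 condition that would otherwise let an unknown host in
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address 0013.0002.0023
Switch(config-if)# switchport port-security mac-address 0013.0002.0024
! Not in the notes: violation action (protect | restrict | shutdown).
! restrict drops offending frames and increments the violation counter (and traps),
! so the event is visible to monitoring without taking the port down
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# end
!
! Verification: confirm the maximum equals the number of static addresses
! and watch the "Security Violation Count" line over time
Switch# show port-security interface fastethernet 0/5
Switch# show port-security address
```

When auditing, compare the "Maximum MAC Addresses" and "Configured MAC Addresses" values in the `show port-security interface` output; any gap between them is capacity that will be filled by whatever host talks first.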

39.0 The following are true about PVLANs:

1. There are three types of private VLAN ports: promiscuous, isolated, and community. 

1.1 Promiscuous port: A promiscuous port communicates with all other PVLAN ports, and is the port typically used to communicate with external routers, servers, administrative workstations, etc. 
1.2 Isolated port: An isolated port has complete L2 separation, including broadcasts, from other ports within the same PVLAN, with the exception of the promiscuous port. Traffic received from an isolated port is forwarded to all promiscuous ports only. None of the other isolated ports receive traffic from another isolated port.
1.3 Community port: Community ports can communicate among themselves and with their promiscuous ports. Community ports are isolated at L2 from all other ports in other communities, or isolated ports within their private VLAN. Broadcasts are forwarded only between associated community ports and the promiscuous port.

2. Switches that use PVLANs must be configured for transparent VTP mode.
3. Isolated ports can only forward traffic to promiscuous ports.
4. In a PVLAN, promiscuous ports belong to the primary VLAN, while community and isolated ports belong to secondary VLANs.
5. A PVLAN has only one primary VLAN, but may have several secondary VLANs.

40.0 The command sequence to map a promiscuous port to the primary and secondary VLANs is given below:

switch(config)# interface fastethernet 3/9
switch(config-if)# switchport mode private-vlan promiscuous
switch(config-if)# switchport private-vlan mapping 100 10,20
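A full PVLAN build-out covering points 39.0 and 40.0 together, added as an illustration and not taken from the original notes. It keeps the VLAN numbers of the mapping command above (primary 100, secondary 10 and 20, with 10 taken as the isolated VLAN and 20 as the community VLAN) and assumes interfaces FastEthernet 3/1 through 3/3 for hosts and 3/9 for the promiscuous uplink (constructed). The `vtp mode transparent`, `private-vlan` VLAN-configuration commands and `switchport private-vlan host-association` are real IOS commands that the notes do not list.

```cisco
! Point 2 of 39.0: PVLANs are only accepted in VTP transparent mode
Switch(config)# vtp mode transparent
!
! Create the secondary VLANs, then the primary, and associate them
Switch(config)# vlan 10
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# vlan 20
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 10,20
Switch(config-vlan)# exit
!
! Isolated host port: can reach only the promiscuous port, never another host
Switch(config)# interface fastethernet 3/1
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 10
!
! Community host ports: reach each other and the promiscuous port
Switch(config)# interface range fastethernet 3/2 - 3
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 20
!
! Promiscuous port towards the router or default gateway (section 40.0)
Switch(config)# interface fastethernet 3/9
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 10,20
Switch(config-if)# end
!
! Verification: primary/secondary associations and per-port role
Switch# show vlan private-vlan
Switch# show interfaces fastethernet 3/1 switchport
```

The isolation enforced here is Layer 2 only: two isolated hosts that share the promiscuous port's router as default gateway can still be routed to each other by that router, so an access list on the router interface is needed if that traffic must also be blocked.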
